| makeresults
| eval spliced=mvappend(
    "@ Timestamp1 @ ProcessInformation.Process @ @ Message: Help. Reason: This is going to be cut out at the 256th c",
    "@ Timestamp2 @ ProcessInformation.Process @ 2 @ h a tota",
    "@ Timestamp2 @ ProcessInformation.Process @ 3 @ l of 5 out-o",
    "@ Timestamp1 @ ProcessInformation.Process @ 1 @ haracter",
    "@ Timestamp2 @ ProcessInformation.Process @ 1 @ age wit",
    "@ Timestamp2 @ ProcessInformation.Process @ 4 @ f-sequence parts",
    "@ Timestamp2 @ ProcessInformation.Process @ @ Message: This is a mess")
| mvexpand spliced
| rename spliced as _raw
| rex "^@ (?<timestamp>[^@]+) @ (?<ProcessId>[^@]+) @ (?<sequence>[^@]*)\s*@ (?<message>.+)"
| eval sequence = if(sequence == "", 0, sequence) ``` change to <Null> if that's literal ```
| sort 0 sequence ProcessId timestamp
| streamstats count(eval(sequence==0)) AS sessionID by ProcessId timestamp
| stats min(_time) AS _time list(message) AS message BY sessionID ProcessId timestamp
| rex field=message mode=sed "s/$/:::/"
| nomv message
| rex field=message mode=sed "s/:::\s*//g"